
Prevent Javascript Get And Script

Is there any way to limit JavaScript GET and POST requests to a specified domain? Also, can I somehow disable JSONP? I want to develop a web content framework where people can include ja

Solution 1:

It's "disabled" by default. If you want to "allow" JSON, you would have to add a JSONP callback. Without it, JS isn't able to retrieve the JSON response.

Solution 2:

Instead of letting the users pick arbitrary JavaScript files, can you let them pick from a list of approved scripts, and reject the edits if the scripts are not included from the right domain? Or can you use some sort of custom markup, where instead of being allowed to write <script> tags, they write [include="pluginname"], and you convert that to a script tag yourself, if the plugin with the given name is found?

Content Security Policy also has limited support in Chrome, but currently it's not really what you want, as its support and penetration in the market is limited.
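
The [include="pluginname"] markup from Solution 2, sketched as an added example that is not part of the original answer. The plugin names, the plugins.example.com URLs and the function names are assumptions made for illustration.

```javascript
// Hypothetical allowlist: plugin name -> script URL on a domain the site controls.
// A Map is used so names like "__proto__" cannot resolve to inherited properties.
const APPROVED_PLUGINS = new Map([
  ["gallery", "https://plugins.example.com/gallery.js"],
  ["comments", "https://plugins.example.com/comments.js"],
]);

// Matches the custom markup [include="pluginname"] and captures the name.
const INCLUDE_RE = /\[include="([^"\]]*)"\]/g;

// Encode user-supplied text so any raw <script> tag is rendered as inert text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Convert user content to HTML. Only the server ever writes a script tag,
// and only for a name found in the allowlist. Unknown names are collected
// so the caller can reject the whole edit (ok === false).
function renderUserContent(source) {
  const rejected = [];
  let html = "";
  let last = 0;
  for (const m of source.matchAll(INCLUDE_RE)) {
    html += escapeHtml(source.slice(last, m.index));
    const url = APPROVED_PLUGINS.get(m[1]);
    if (url === undefined) {
      rejected.push(m[1]);
    } else {
      html += `<script src="${escapeHtml(url)}"></script>`;
    }
    last = m.index + m[0].length;
  }
  html += escapeHtml(source.slice(last));
  return { html, rejected, ok: rejected.length === 0 };
}

// Constructed sample input: one approved include plus a hand-written script tag.
const sample = 'Hi [include="gallery"] <script src="https://untrusted.example/x.js"></script>';
console.log(renderUserContent(sample).html);
```

The caller stores or serves `html` only when `ok` is true; otherwise the edit is rejected and `rejected` names the plugins that were not found.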
